ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update...

Browse Source
This commit is contained in:
Christoph
2023-05-01 10:47:10 +02:00
parent 9766f7841e
commit bb57e8e555
35 changed files with 1416 additions and 274 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts
View File

@ -1,22 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give hostnames to blocke here

16
roles/common/files/b.mx/etc/postfix/postfwd.bl-nets
View File

@ -1,16 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here

38
roles/common/files/b.mx/etc/postfix/postfwd.bl-sender
View File

@ -1,38 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# @acieu\.co\.uk$
# ^error@mailfrom.com$
#
# instedt of
#
# @acieu.co.uk
# error@mailfrom.com
#
#
# Example:
#
# # # annoying spammer domains
# # block all senders of maildomaindomain 'oopen.de'
# @acieu\.co\.uk$
#
# # annoying spammer addresses
# # block sender address
# error@mailfrom.com
# sqek@eike\.se$
#
# ---
# annoying spammer domains
@acieu\.co\.uk$
# annoying spammer addresses
^error@mailfrom\.com$
^sqek@eike\.se$

13
roles/common/files/b.mx/etc/postfix/postfwd.bl-user
View File

@ -1,13 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give SASL usernames to block here
# ckubu@oopen.de
#
# ---
# give SASL usernames to block here

172
roles/common/files/b.mx/etc/postfix/postfwd.cf
View File

@ -1,172 +0,0 @@
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^$
}
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Throttle unknown clients to 5 recipients per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)

22
roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts
View File

@ -1,22 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give truested hostnames here

4
roles/common/files/b.mx/etc/postfix/postfwd.wl-nets
View File

@ -13,3 +13,7 @@
# ---
# give truested networrk adresses here
# d.mx.oopen.de (listen server)
95.217.204.227
2a01:4f9:4a:47e5::227

3
roles/common/files/b.mx/etc/postfix/postfwd.wl-sender
View File

@ -19,4 +19,7 @@
# ---
# give trusted sender addresses here
^noreply@login\.ubuntu\.com$
^check_local_es_service@oolm-shop\.oopen\.de$
^root@oolm-shop\.oopen\.de$

16
roles/common/files/b.mx/etc/postfix/postfwd.wl-user
View File

@ -1,16 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here
kanzlei-kiel@b.mx.oopen.de

182
roles/common/files/b.mx/etc/postfix/relay_domains Normal file
View File

@ -0,0 +1,182 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
## - a.mx.oopen.de
## -
## - create relay-domain list for host a.mx.oopen.de:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done
## -
afa-ost.de :[a.mx.oopen.de]
agberatung-berlin.org :[a.mx.oopen.de]
aku-punkt-berlin.de :[a.mx.oopen.de]
akweb.de :[a.mx.oopen.de]
amberg-dolmetschen.de :[a.mx.oopen.de]
anwaeltinnenbuero.info :[a.mx.oopen.de]
anwaeltinnenbuero.net :[a.mx.oopen.de]
anwaeltinnen.de :[a.mx.oopen.de]
anwalthoffmann.de :[a.mx.oopen.de]
anwalt-klinggraeff.de :[a.mx.oopen.de]
anwalt-schrage.de :[a.mx.oopen.de]
anw-nbg.de :[a.mx.oopen.de]
azzellini.net :[a.mx.oopen.de]
b3-bornim.de :[a.mx.oopen.de]
behrens-boehlo.de :[a.mx.oopen.de]
beitragen-statt-wegnehmen.de :[a.mx.oopen.de]
berliner-register.de :[a.mx.oopen.de]
berlin-gegen-nazis.de :[a.mx.oopen.de]
bildungswege.org :[a.mx.oopen.de]
buelos.de :[a.mx.oopen.de]
cacn.de :[a.mx.oopen.de]
cakebook.de :[a.mx.oopen.de]
christoph-mauler.de :[a.mx.oopen.de]
commonground.community :[a.mx.oopen.de]
fluechtlingsrat-brandenburg.de :[a.mx.oopen.de]
georgrohde.de :[a.mx.oopen.de]
glx-consulting.com :[a.mx.oopen.de]
groenlandpaddel-berlin.de :[a.mx.oopen.de]
gruppe-freital-nebenklage.de :[a.mx.oopen.de]
halbzwei.com :[a.mx.oopen.de]
herrschaftskritik.org :[a.mx.oopen.de]
il-pad.oopen.de :[a.mx.oopen.de]
incredible-dharavi.org :[a.mx.oopen.de]
jo.oopen.de :[a.mx.oopen.de]
k8h.de :[a.mx.oopen.de]
kar-loh.de :[a.mx.oopen.de]
kluuu.com :[a.mx.oopen.de]
koma-elektronik.com :[a.mx.oopen.de]
kottbusserdamm.net :[a.mx.oopen.de]
lubax.de :[a.mx.oopen.de]
mail-ga.de :[a.mx.oopen.de]
mbr-berlin.de :[a.mx.oopen.de]
meet2.oopen.de :[a.mx.oopen.de]
meet.agberatung-berlin.org :[a.mx.oopen.de]
meet.akweb.de :[a.mx.oopen.de]
meet.anwaeltinnenbuero.net :[a.mx.oopen.de]
meet.oopen.de :[a.mx.oopen.de]
meet.reachoutberlin.de :[a.mx.oopen.de]
mimecentrum.de :[a.mx.oopen.de]
mossestrasse.de :[a.mx.oopen.de]
netclimbers.de :[a.mx.oopen.de]
nsu-nebenklage.de :[a.mx.oopen.de]
oopen.de :[a.mx.oopen.de]
opferperspektive.de :[a.mx.oopen.de]
opra-gewalt.de :[a.mx.oopen.de]
pankow-hilft.de :[a.mx.oopen.de]
presserecht-bundesweit.de :[a.mx.oopen.de]
rajus.de :[a.mx.oopen.de]
reachoutberlin.de :[a.mx.oopen.de]
schule-herzogau.de :[a.mx.oopen.de]
socialfiction.de :[a.mx.oopen.de]
spangenberg-supervision.de :[a.mx.oopen.de]
spjw.de :[a.mx.oopen.de]
tabumove.de :[a.mx.oopen.de]
text-arbeit.net :[a.mx.oopen.de]
traversata-film.de :[a.mx.oopen.de]
vdk-berlin.de :[a.mx.oopen.de]
ware-groesse.de :[a.mx.oopen.de]
wissen-ist-relevant.de :[a.mx.oopen.de]
www.oopen.de :[a.mx.oopen.de]
zahlenkollektiv.org :[a.mx.oopen.de]
## - Domains Ilker
## -
alem.social :[mail.alem.social]
egilstein.de :[mail.alem.social]
ungleichgesinnten.de :[mail.alem.social]
## - mx.gemeinschaft-altenschlirf.de
gemeinschaft-altenschlirf.de :[mx.gemeinschaft-altenschlirf.de]
gemeinschaft-altenschlirf.org :[mx.gemeinschaft-altenschlirf.de]
## - lists.oopen.de
## -
## -
## - create relay-domain list for listserver d.mx.oopen.de
## -
## - cd /data/sympa/list_data
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[d.mx.oopen.de]" ; done
## -
lists.aktionsbuendnis-brandenburg.de :[d.mx.oopen.de]
lists.akweb.de :[d.mx.oopen.de]
lists.bilgisaray.org :[d.mx.oopen.de]
lists.cacn.de :[d.mx.oopen.de]
lists.cadus.org :[d.mx.oopen.de]
lists.faire-mobilitaet.de :[d.mx.oopen.de]
lists.fluechtlingsrat-brandenburg.de :[d.mx.oopen.de]
lists.gemeinschaft-altenschlirf.de :[d.mx.oopen.de]
lists.glx-consult.com :[d.mx.oopen.de]
lists.initiativenserver.de :[d.mx.oopen.de]
lists.kar-loh.de :[d.mx.oopen.de]
lists.mahalle.de :[d.mx.oopen.de]
lists.mbr-berlin.de :[d.mx.oopen.de]
lists.oopen.de :[d.mx.oopen.de]
lists.pankow-hilft.de :[d.mx.oopen.de]
lists.schule-in-not.de :[d.mx.oopen.de]
lists.techworkersberlin.com :[d.mx.oopen.de]
lists.visionen-fuer-pankow.de :[d.mx.oopen.de]
## - c.mx.oopen.de
## -
## - create relay-domain list for host ic.mx.oopen.de:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[c.mx.oopen.de]" ; done
## -
aktionsbuendnis-brandenburg.de :[c.mx.oopen.de]
brandenburg-nazifrei.de :[c.mx.oopen.de]
haus-der-demokratie-zossen.de :[c.mx.oopen.de]
initiativenserver.de :[c.mx.oopen.de]
kurage.eu :[c.mx.oopen.de]
willkommen-ohv.de :[c.mx.oopen.de]
zossen-zeigt-gesicht.de :[c.mx.oopen.de]
## - so36 - schleuder lists
## -
cryptolists.so36.net :[schleuder3.so36.net]
## - so36 maildomains
## -
## - create relay-domain list for host rage.so36.net:
## - cd /var/vmail
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[rage.so36.net]" ; done
## -
absent-friends.org :[rage.so36.net]
antifa.de :[rage.so36.net]
antifa-versand.de :[rage.so36.net]
archiv-kiel.de :[rage.so36.net]
az-wuppertal.de :[rage.so36.net]
bamm.de :[rage.so36.net]
cilip.de :[rage.so36.net]
dosto.de :[rage.so36.net]
g20-doku.org :[rage.so36.net]
hotmehl.com :[rage.so36.net]
kamalatta.de :[rage.so36.net]
kreta-film.net :[rage.so36.net]
libertad.so36.net :[rage.so36.net]
mail36.net :[rage.so36.net]
oh21.de :[rage.so36.net]
ostpack.de :[rage.so36.net]
so36.net :[rage.so36.net]
so36net.de :[rage.so36.net]
socialforum-berlin.org :[rage.so36.net]
speakerinnen.org :[rage.so36.net]
uffmucken-schoeneweide.de :[rage.so36.net]
## - so36 lists on sympa.so36.net
## -
## - create relay-domain list for listserver sympa.so36.net
## -
## - cd /data/sympa/list_data
## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[mx.lists36.net]" ; done
## -
lists36.net :[mx.lists36.net]
lists.mail36.net :[mx.lists36.net]
lists.so36.net :[mx.lists36.net]
## - codecoop
## -
codecoop.org :[rage.so36.net]